Insecure Temporary File in huggingface/transformers
Jan 5th 2023
transformers package is using the deprecated function
tempfile.mktemp() which is not secure. Because a different process may create a file with this name in the time between the call to mktemp() and the subsequent attempt to create the file by the first process.
Functions that create temporary file names (such as tempfile.mktemp()) are fundamentally insecure, as they do not ensure exclusive access to a file with the temporary name they return. The file name returned by these functions is guaranteed to be unique on creation but the file must be opened in a separate operation. There is no guarantee that the creation and open operations will happen atomically. This provides an opportunity for an attacker to interfere with the file before it is opened.
Use mkstemp() instead of tempfile.mktemp().
Availability will get affected because of this vulnerability.
Hi @admin my patch is merged into the main branch. https://github.com/huggingface/transformers/pull/23372 https://github.com/huggingface/transformers/commit/80ca92470938bbcc348e2d9cf4734c7c25cb1c43
Accidentally I deleted my forked repository. Can you please suggest me a way to get a fixed bounty? Thanks.
Hi ready-research, it looks like you've still be awarded the fix bounty - let me know if there's any other issues I can help with.